Overview:
Every site that handles logins, forms or anything else a user would not want read or altered in transit needs to serve over HTTPS. The protocol behind HTTPS is TLS (still commonly called SSL after its predecessor); it gives the browser an encrypted, integrity-protected channel to the server and lets the browser confirm it is talking to the right host. To use it, the server needs a certificate issued by a certificate authority (CA) that browsers trust. Let's Encrypt is a free, automated CA run by the non-profit ISRG, and Certbot is the most widely used client for obtaining and renewing its certificates through the ACME protocol.
This article walks through obtaining Let's Encrypt certificates for an Nginx and an Apache web server on Ubuntu 18.04 with Certbot.
Pre-requisites:
- An Ubuntu 18.04 server with a non-root sudo user and ufw enabled.
- A registered domain name whose DNS records point at the server. sample.com and www.sample.com are used here.
- For the Nginx path: Nginx installed with a server block for your domain. See Installing Nginx on Ubuntu 18.04 and Setting Up Nginx Server Blocks for Magento.
- For the Apache path: Apache installed with a virtual host for your domain. See Installing and Setting Virtual Hosts for Apache on Ubuntu 18.04.
Installing SSL certificate for Nginx and Apache on Ubuntu 18.04
Certbot changes frequently and the version in Ubuntu's own repository is often out of date, so this guide installs it from the package archive maintained by the Certbot developers. Note that the ppa:certbot/certbot archive has since been retired by the Certbot project, which now distributes Certbot as a snap; if add-apt-repository fails for you, follow the current instructions at https://certbot.eff.org/ instead. The certbot commands used below are unchanged.
Step 1: Installing Certbot for Nginx
Add the repository:
sudo add-apt-repository ppa:certbot/certbot
Then install Certbot together with its Nginx plugin:
sudo apt install python-certbot-nginx
Enabling Firewall rules
The firewall must allow HTTPS (port 443) in addition to HTTP. The Nginx package registers ufw application profiles; list them to see which are available:
sudo ufw app list
Output
Available applications:
  CUPS
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
Now, to allow HTTPS, type the following,
sudo ufw allow 'Nginx Full'
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Step 2: Installing Certbot for Apache
The same concern about outdated packages applies to the Apache plugin. Add the Certbot developers' repository (skip this if you already added it in Step 1):
sudo add-apt-repository ppa:certbot/certbot
Install the Certbot Apache packages using the command,
sudo apt install python-certbot-apache
Enabling Firewall rules
After installing the Apache packages, open the firewall for HTTPS traffic. The Apache package registers its own ufw profiles; list them with:
sudo ufw app list
Output
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH
Now, type the following command to let in the HTTPS traffic.
sudo ufw allow 'Apache Full'
sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
Step 3: Preparing the Nginx server block
The server block setup:
1) Open the server block file for your domain:
sudo nano /etc/nginx/sites-available/sample.com
2) Make sure it contains a server_name directive listing every hostname you want on the certificate. The Nginx plugin uses this directive to find the block to modify:
server {
    listen 80;
    ...
    server_name sample.com www.sample.com;
    ...
}
3) While the certificate is being issued, the server must accept plain HTTP on port 80 from the internet. Let's Encrypt proves control of each name with an http-01 challenge: Certbot publishes a token-specific response under /.well-known/acme-challenge/ on port 80 and the CA fetches it. If the server block does not listen on port 80, or the firewall blocks it, issuance fails.
Before requesting the certificate, check the configuration for syntax errors:
sudo nginx -t
Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Once the syntax is correct, restart Nginx so the server block is active:
sudo service nginx restart
Check that the service is running; the line to look for is Active: active (running).
sudo service nginx status
Output
nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-06-03 11:00:37 UTC; 3s ago
     Docs: man:nginx(8)
  Process: 3049 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 3063 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 3052 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 3065 (nginx)
    Tasks: 2 (limit: 1152)
   CGroup: /system.slice/nginx.service
           ├─3065 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           └─3068 nginx: worker process

Jun 03 11:00:37 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Stopped A high performance web server and a reverse proxy server.
Jun 03 11:00:37 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Starting A high performance web server and a reverse proxy server...
Jun 03 11:00:37 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Jun 03 11:00:37 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Started A high performance web server and a reverse proxy server.
Step 4: Creation of SSL certificate
Run Certbot with the Nginx plugin, which obtains the certificate, rewrites the server block to use it and reloads Nginx. Pass every hostname the certificate should cover with -d:
sudo certbot --nginx -d sample.com -d www.sample.com
On the first run Certbot registers an ACME account: it asks for an email address (used for expiry and security notices) and for agreement to the Let's Encrypt terms of service. Note that neither of these proves you control the domain; that proof comes from the http-01 challenges Certbot performs next.
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): testing@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sample.com
http-01 challenge for www.sample.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/sample.com
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/sample.com

Next, Certbot asks how plain HTTP traffic should be handled. Choose 2 unless you have a specific reason to keep serving the site over HTTP: with the redirect in place, a visitor who types the bare hostname is sent to HTTPS instead of staying on an unencrypted connection.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/sample.com
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/sample.com

On success, Certbot prints a confirmation like the one below, giving the location of the certificate chain and private key and the expiry date (Let's Encrypt certificates are valid for 90 days; the installed systemd timer or cron job runs certbot renew to renew them automatically).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sample.com and
https://www.sample.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sample.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.sample.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sample.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sample.com/privkey.pem
   Your cert will expire on 2020-09-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Step 5: Preparing the Apache virtual host
The virtual host setup:
1) Open the virtual host file for your domain. On Ubuntu, Apache only loads files under sites-enabled whose names end in .conf, so the file should be named accordingly:
sudo nano /etc/apache2/sites-available/sample.com.conf
2) Make sure the virtual host has ServerName and ServerAlias directives covering every hostname you want on the certificate. The Apache plugin uses them to find the virtual host to modify:
<VirtualHost *:80>
    ServerName sample.com
    ServerAlias www.sample.com
</VirtualHost>
3) As with Nginx, the server must accept plain HTTP on port 80 from the internet while the certificate is issued, because Let's Encrypt validates each name with an http-01 challenge fetched over port 80.
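What the http-01 challenge lines in Certbot's output refer to, and why both Step 3 and Step 5 insist on port 80, is easier to see in code. The following Python script is an added example, not part of this article or of Certbot: it models both sides of the ACME http-01 exchange (RFC 8555 section 8.3, key authorization and RFC 7638 key thumbprint) with an in-memory web root standing in for the real server. The account key, token and hostname in it are constructed values, not real ones.

```python
"""Simulated ACME http-01 challenge (RFC 8555 section 8.3).

Added example, not code from the original article or from Certbot.
It models what happens between 'Performing the following challenges:
http-01 challenge for sample.com' and 'Waiting for verification...':
the client publishes a key authorization under
/.well-known/acme-challenge/<token> on port 80 and the CA fetches it.
The account JWK used below is a constructed placeholder (its "n" is not
a real RSA modulus); it only illustrates the thumbprint computation.
"""
import base64
import hashlib
import json

WELL_KNOWN = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members of the
    JWK only, serialised with keys sorted lexicographically and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# --- client side (what Certbot does on the web server) ----------------------
def publish_challenge(webroot: dict, token: str, account_jwk: dict) -> str:
    """Place the key authorization where the CA will look for it.
    `webroot` is a dict standing in for files under the document root."""
    path = WELL_KNOWN + token
    webroot[path] = key_authorization(token, account_jwk)
    return path


# --- CA side (what Let's Encrypt does) ---------------------------------------
def http01_validate(fetch, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA requests http://<domain>/.well-known/acme-challenge/<token> over
    plain HTTP on port 80 and compares the body with the key authorization it
    derives from the account key that created the order.
    `fetch(domain, port, path)` returns (status, body), or None if nothing
    answers on that port."""
    response = fetch(domain, 80, WELL_KNOWN + token)
    if response is None:            # port 80 filtered or no listener: challenge fails
        return False
    status, body = response
    if status != 200:
        return False
    return body.strip() == key_authorization(token, account_jwk)


def demo() -> dict:
    # constructed values, not a real account key or token
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz"}
    other_account = {"kty": "RSA", "e": "AQAB", "n": "YW5vdGhlci1hY2NvdW50LWtleQ"}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    webroot: dict = {}
    publish_challenge(webroot, token, account_jwk)

    def fetch_ok(domain, port, path):
        if port != 80:
            return None
        return (200, webroot[path]) if path in webroot else (404, "")

    def fetch_port_closed(domain, port, path):
        return None                  # firewall drops port 80

    return {
        "valid": http01_validate(fetch_ok, "sample.com", token, account_jwk),
        "port_80_closed": http01_validate(fetch_port_closed, "sample.com", token, account_jwk),
        "wrong_account_key": http01_validate(fetch_ok, "sample.com", token, other_account),
        "wrong_token": http01_validate(fetch_ok, "sample.com", "AAAA", account_jwk),
    }


if __name__ == "__main__":
    print(demo())
```

The CA derives the expected response from the ACME account key that requested the order, so a response published by a different account, or one it cannot reach because port 80 is closed, is rejected and the order fails; that is the failure behind a Certbot run whose "Waiting for verification..." ends in an error.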
Before requesting the certificate, check the configuration for syntax errors:
sudo apache2ctl configtest
Output
Syntax OK
If the syntax is correct, reload Apache so it picks up the virtual host:
sudo systemctl reload apache2
Let’s check the status of Apache service.
sudo service apache2 status
Output
apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: active (running) since Wed 2020-06-03 11:17:55 UTC; 5s ago
  Process: 4628 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
  Process: 4633 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 4649 (apache2)
    Tasks: 55 (limit: 1152)
   CGroup: /system.slice/apache2.service
           ├─4649 /usr/sbin/apache2 -k start
           ├─4652 /usr/sbin/apache2 -k start
           └─4653 /usr/sbin/apache2 -k start

Jun 03 11:17:55 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Stopped The Apache HTTP Server.
Jun 03 11:17:55 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Starting The Apache HTTP Server...
Jun 03 11:17:55 ubuntu-s-1vcpu-1gb-blr1-01 systemd[1]: Started The Apache HTTP Server.
Step 6: Creation of SSL certificate in Apache
Run Certbot with the Apache plugin, which obtains the certificate, writes an SSL virtual host that uses it and reloads Apache. Pass every hostname the certificate should cover with -d:
sudo certbot --apache -d sample.com -d www.sample.com
As in the Nginx case, the email address and terms-of-service prompts register your ACME account; control of the domain itself is proved by the http-01 challenges that follow.
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): testing@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sample.com
http-01 challenge for www.sample.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/sample.com
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/sample.com

Next, Certbot asks how plain HTTP traffic should be handled. Choose 2 unless you have a specific reason to keep serving the site over HTTP.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the web server configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/apache2/sites-enabled/sample.com
Redirecting all traffic on port 80 to ssl in /etc/apache2/sites-enabled/sample.com

On success, Certbot prints a confirmation like the one below, giving the location of the certificate chain and private key and the expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sample.com and
https://www.sample.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sample.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.sample.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sample.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sample.com/privkey.pem
   Your cert will expire on 2020-09-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
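Both Certbot runs above end with the note that /etc/letsencrypt holds the account credentials and every private key Certbot has obtained, and should be backed up securely. The corollary a practitioner wants to verify is that nobody but root can read those keys. The Python script below is an added example, not part of this article or of Certbot: it audits a directory laid out like Certbot's (live/<domain>/ symlinks pointing into archive/<domain>/) against a policy that is an assumption of this example, namely that private key files carry no group or other permission bits, that the live, archive and accounts directories are not world-readable, and that each live privkey.pem resolves into archive/. It builds constructed temporary copies of that layout so it runs offline; point audit_letsencrypt_dir at the real /etc/letsencrypt (as root) to check a live system.

```python
"""Permission audit for a Certbot-style configuration directory.

Added example, not code from the original article or from Certbot.
Policy enforced (an assumption of this example): private keys carry no
group/other permission bits, live/ archive/ accounts/ are not world-readable,
and each live/<domain>/privkey.pem is a symlink that resolves into archive/.
"""
import os
import stat
import tempfile
from pathlib import Path

GUARDED_DIRS = ("live", "archive", "accounts")


def _is_private_key(path: Path) -> bool:
    name = path.name
    if name.startswith("privkey") and name.endswith(".pem"):
        return True                                   # archive/<domain>/privkeyN.pem
    return "accounts" in path.parts and name == "private_key.json"  # ACME account key


def audit_letsencrypt_dir(root: Path) -> list:
    """Walk `root` and return (path, problem) pairs; an empty list means clean."""
    root = root.resolve()
    archive = root / "archive"
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            # live/<domain>/*.pem are symlinks; the key must point into archive/
            if path.name == "privkey.pem" and archive not in path.resolve().parents:
                findings.append((str(path), "live privkey.pem does not resolve into archive/"))
            continue
        mode = stat.S_IMODE(path.lstat().st_mode)
        if _is_private_key(path) and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((str(path), f"private key readable by group/others (mode {mode:04o})"))
        elif path.is_dir() and path.name in GUARDED_DIRS and mode & stat.S_IROTH:
            findings.append((str(path), f"directory world-readable (mode {mode:04o})"))
    return findings


def build_fixture(base: Path, weak: bool) -> Path:
    """Constructed stand-in for /etc/letsencrypt; file contents are placeholders."""
    root = base / "letsencrypt"
    archive = root / "archive" / "sample.com"
    live = root / "live" / "sample.com"
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    for name in ("fullchain1.pem", "privkey1.pem"):
        (archive / name).write_text("placeholder, not a real certificate or key\n")
        # Certbot links live/<domain>/privkey.pem -> ../../archive/<domain>/privkey1.pem
        (live / name.replace("1", "")).symlink_to(Path("../../archive/sample.com") / name)
    os.chmod(archive / "privkey1.pem", 0o644 if weak else 0o600)
    os.chmod(root / "archive", 0o755 if weak else 0o700)
    os.chmod(root / "live", 0o755 if weak else 0o700)
    return root


def demo() -> dict:
    """Audit one deliberately weak tree and one that follows the policy."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = audit_letsencrypt_dir(build_fixture(Path(tmp) / "weak", weak=True))
        clean = audit_letsencrypt_dir(build_fixture(Path(tmp) / "clean", weak=False))
    return {"weak": weak, "clean": clean}


if __name__ == "__main__":
    for path, problem in demo()["weak"]:
        print(f"{problem}: {path}")
```

The weak tree produces three findings (a group/world-readable key file and two world-readable directories) and the clean tree none. Because a backup copies permission bits only if it is told to, run the same audit against any restored copy of the directory before trusting it.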
Conclusion:
This article covered why a website should be served over HTTPS and introduced Let's Encrypt, the free, automated certificate authority that has become the default choice for it. It then walked through the stages of getting a certificate onto both Nginx and Apache on Ubuntu 18.04: installing Certbot, opening the firewall for HTTPS, preparing the server block or virtual host so the http-01 challenge can succeed, and running Certbot to obtain the certificate and enable the HTTP-to-HTTPS redirect.